© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Taylor Anderson

Senior Product Manager, Amazon EC2

Amjad Hussain

Senior Manager, Amazon EC2

December 2, 2016

How to Manage Inventory, Patching, and System Images for Your Hybrid Cloud with AWS Management

Capabilities

WIN401

What to Expect from the Session

Learn how to:

• Automate AMI building and deployment

• Monitor fleet configuration and inventory

• Ensure instances are patch compliant

What we heard from customers

• Traditional IT tools not built for the cloud

• Managing resources at scale is difficult

• Lack of visibility into configuration and

execution history

• Multiple vendors; complex licensing

Managing cloud and hybrid environments using

traditional tools is complex and costly

Introducing Amazon EC2 Systems Manager

A set of capabilities that enable automated configuration and

ongoing management of systems at scale, across all your

Windows and Linux workloads, running in Amazon EC2 or

on-premises

Systems Manager Capabilities

Run Command Maintenance

Windows

Inventory

State Manager Parameter Store

Patch Manager

Automation

Configuration,

Administration

Update and

TrackShared

Capabilities

Automation

Automation – What we heard

Automation pain point: AMI building

• Triggers: patching, hardening, application bake-in

• Never-ending

• Time consuming, especially when builds fail

• Overhead of maintaining build service

Automation

Introducing Automation

• Simplified automation solution

• Perfect for AMI updates, instance deployment & config

• Pro-active event notifications

• AWS optimized (EC2 Run Command, AWS Lambda, AWS

CloudTrail, IAM, and Amazon CloudWatch integrations)

Automation – Getting Started

1. Create an

automation

document

2. Run automation 3. Monitor your

automation

Automation

Demo

Automation - Documents

Input & output parameters

• Create default values, or assign at run-time

• Parameter Store integration

• System Variables (DATE, DATE_TIME, REGION,

EXECUTION_ID)

Demo examples

Document

Parameter Name

Default Value

sourceAMIid “{{ssm:sourceAMI}}”

targetAMIname “patchedAMI-{{global:DATE_TIME}}”

Automation - Documents

Automation Steps

• Action types:

• runInstances, changeInstanceState, createAMI

• runCommand, invokeLambdaFunction

• Flow control: retries, timeouts, continue/abort

Public Automation Documents

• AWS-UpdateWindowsAmi

• AWS-UpdateLinuxAmi

Automation – IAM Setup

1. Create a Service Role for Automation

• Permission for Automation service to operate in your account

2. Attach PassRole policy to user’s account

3. Launch instances with SSM role (AmazonEC2RoleforSSM)

Automation – Monitoring

• Amazon CloudWatch Events

• Publish notifications to an Amazon SNS topic

• Step-level & automation-level notifications

Inventory

Inventory

What we heard:

• Accurate software inventory is critical for understanding fleet

configuration and license usage

• Legacy solutions not optimized for cloud

• Self-hosting requires additional overhead

Inventory

Introducing Inventory

• End-to-end inventory collection (EC2/on-premises/Workspaces)

• Windows/Linux

• Powerful query

• Extensible inventory schema

• Integrated with AWS services

Inventory – System Diagram

SSMAgent

EC2

Windows

Instance

SSMAgent

EC2

Linux

Instance

SSMAgent

On-

Premises

Instance

AWS SSM Service

State Manager

EC2 Inventory

SSM document

Inventory

Store

EC2 Console,

SSM CLI/APIs

AWS Config

AWS Config

Console + CLI/APIs

Inventory – Getting Started

1. Configure Inventory

policy

2. Apply Inventory

policy

3. Query inventory

Inventory

Demo

Inventory – Configuration

Create an Inventory association

1. Select instances (by instance ID or tag)

2. Select scan frequency (hours, minutes, days, NOW)

3. Select Inventory Types to gather

• Instance information

• Applications

• AWS Components

• Network configuration

• Windows Updates

• Custom Inventory

Inventory – Custom Inventory Type

Custom Inventory Collection

• Extensible: record any attribute for a given instance

• Examples: rack location, BIOS version, firewall settings

Two ways to record custom inventory types

1. Agent/on-instance: Write a cron job to record custom

inventory files to a predefined path

2. API: Use PutInventory API

Inventory Manager

Query

• Search by inventory attribute

• Partial and inverse searches

• Windows 2012 r2 instances running SQL Server 2016 where

Windows Update KB112342 is not installed

Integration with AWS Config

• Record inventory changes over time

• Use AWS Config Rules to monitor changes, notify

• Meet compliance and governance mandates

Patch Manager

Patch Manager

What we heard about patching enterprise systems:

• Time consuming, tedious, repetitive

• Existing solutions are inadequate

• Enterprise patching is manual and complex

• Errors result in downtime, compliance issues

Patch Manager

Announcing Patch Manager

• End-to-End Patching

• Easy to Automate

• Integrated with other AWS Services

• First release: Windows OS patching

Patch Manager – Getting Started

1. Create a Patch

Baseline to define

approved patches

3. Maintenance

Window executes

patching

4. Audit results

with Patch

Compliance

2. Create a

Maintenance Window

to schedule patching for

a set of instances

Patch Manager - Overview

Instance A

Patch Group:Prod

Patch Baseline

- Critical, High

- 5 days or older

1

Maintenance Window

- Sundays @ 1AM

- 2 hrs. long

- Task: Patching

2 3

Patch Compliance

2up to

date

0missing

updates

1error

4

Instance B

Patch Group:Prod Patch Group:Prod

Patch Manager – Patch Baseline

• Auto-approval rules for patches

• Rule criteria

• Product (WS2012 R2)

• MSRC Classification (Critical)

• Approve After (5 days)

• Approved and Rejected patches (KB2032276, KB2124261)

• Register target instances using Patch Group tags

• Example: For Patch Group:Prod instances, approve all Critical

updates for Windows Server 2012 R2 5 days after release, except for

KB2032276

Patch Manager – Maintenance Window

• Define and control when disruptive operations occur

• Schedule (2nd Tuesday of the month)

• Duration

• Target instances (tags or instance IDs)

• Tasks (Run Command)

Patch task uses Run Command with AWS-ApplyPatchBaseline

max instances to patch at a time, error threshold

Patch Manager – Patching your instances

• Register the instances you want to patch as targets

• Register the AWS-ApplyPatchBaseline command as a

task

• Patching will happen during maintenance window

• Patch compliance data collected

Patch Manager – Patch Compliance

• Fleet-wide summary of patch status

• Dashboard shows counts of compliant and non-compliant

instances

Patch Manager

Demo!

Wrapping Up

• Systems Manager available in multiple Regions

• We’d love to hear your feedback

• Join us at the booth!

Thank you!

Remember to complete

your evaluations!